When you are writing code for large open-source projects like WordPress, you must realize that your code will potentially be used by millions of other people who use WordPress. WordPress powers more than one-third of the web and the chances of someone using your code in their project are high.
Security is important and as a developer, you must take extra steps to keep your codebase secure. You must follow proper WordPress coding standards and ensure that the data you accept, process, store, and display on the website is safe for everyone.
Here’s a good place to start:
In general, good security means not trusting user input — any input from $_POST, $_GET, or command-line arguments should be validated before use. This prevents injection attacks, such as Bobby Tables. For a good listing on avoid SQL injection in generic PHP and WordPress, see BobbyTables.com/php.
SQL injection is just one attack trajectory. Script injection, such as in Cross-Site Scripting attacks, is another major concern. Ideally, data would be validated at input and sanitized or escaped at output.
For generic HTML output, see wp_kses() and wp_kses_post(). The _post() variant allows all HTML that’s valid for post_content, but doesn’t allow form fields or script tags. Also see wp_strip_all_tags(), which will strip all tags and <style> and <script> content.
Also see “sanitize_” functions. sanitize_key(), sanitize_title(), and sanitize_email() are especially notable. is_email() can also be useful.
Important default PHP functions for dealing with user input include filter_input() and filter_var() along with their various options.
Nonces play a part in validating that a form submitted by a user was intended to be submitted. See Using Nonces.